[英]Aws IAM group: Setup readonly access on log group on Terraform
Does someone know how to setup read-only access to specific log groups?有人知道如何设置对特定日志组的只读访问吗?
resource "aws_iam_policy" "logs" {
name = "AWSLogs${title(var.product)}"
description = "Logging policy for ${title(var.product)}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Get*",
"logs:List*",
"logs:Filter*"
],
"Resource": [
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.one.arn}:log-stream:*",
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.two.arn}:log-stream:*",
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.three.arn}:log-stream:*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_group_policy_attachment" "logs" {
group = "${aws_iam_group.logs.name}"
policy_arn = "${aws_iam_policy.logs.arn}"
}
resource "aws_iam_group" "logs" {
name = "${title(var.product)}Logs"
}
I'm currently struggeling to setup to only have access on specified log groups, but I can only get access to them when I set my resource to "*".我目前正在努力设置为只能访问指定的日志组,但我只能在将资源设置为“*”时才能访问它们。 This is not possible when I setup this dedicated to predefined log groups.当我将其设置为专用于预定义日志组时,这是不可能的。 Does someone have a good practice or solution?有人有好的做法或解决方案吗? When I try this solution above I only get当我尝试上面的这个解决方案时,我只得到
Not authorized to perform: logs:FilterLogEvents, when I try to access it via an user which is part of the IAM group "logs".未授权执行:logs:FilterLogEvents,当我尝试通过属于 IAM 组“logs”的用户访问它时。
aws_cloudwatch_log_group.one.arn
already is the full ARN of the one
log group, ie, aws_cloudwatch_log_group.one.arn
已经是one
日志组的完整ARN,即
arn:aws:logs:us-east-1:123456789012:log-group:one 阿尔恩:AWS:日志:美东1:123456789012:登录组:一个
So refer only to that in the Resources
list: 因此,仅参考“ Resources
列表中的内容:
resource "aws_iam_policy" "logs" {
name = "AWSLogs${title(var.product)}"
description = "Logging policy for ${title(var.product)}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Get*",
"logs:List*",
"logs:Filter*"
],
"Resource": [
"${aws_cloudwatch_log_group.one.arn}:log-stream:*",
"${aws_cloudwatch_log_group.two.arn}:log-stream:*",
"${aws_cloudwatch_log_group.three.arn}:log-stream:*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
}
]
}
EOF
}
I was able to kind of solve this by adding a Condition filtering by tags to the Statement and making sure that the log groups and streams are tagged correspondingly:我能够通过向语句添加按标签过滤条件并确保日志组和流被相应标记来解决这个问题:
"Condition": {
"StringEquals": {
"aws:ResourceTag/sometagname": "sometagvalue"
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.